In my humble abode, the RT-AC66U is the core of my home network, providing DHCP and Wireless to a plethora of devices. However, I am also running a small home lab which I need to be able to access from my home desktop. Hence the need for static routes.

Specifically, my home lab hosts the following networks: 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24. The IP address of my ASUS RT-AC66U is the default one of 192.168.0.1. My desktop is on the 192.168.0.0/24 network.

In order for me to access my lab from my desktop (and from the rest of my home network), I need to tell my ASUS how to route traffic destined for the three 10.x.0.0/24 networks.

In order to accomplish this, we first need to navigate to LAN in the left pane and then select the Route tab.

As shown in the screenshot above, we first need to select the “YES” radio button for “Enable Static Routes”. Next we enter a network address (or a single host address, if that is what we are routing to) into the “Network/Host IP” field. Then we enter our netmask into the field that is, not surprisingly, labeled “Netmask”. In my case my netmask is 255.255.255.0.

Now we move on to the field labeled “Gateway”. Here we enter the next hop to which a packet destined for our lab network should be forwarded. In my environment, this is 192.168.0.11, which is another router.

Then select “LAN” from the drop-down, as all our traffic will route to the internal LAN only, and not out to the internet or WAN. Now click the plus sign to add your new route.

Now when a packet destined for one of my lab networks outlined above hits my ASUS router, it will be forwarded to 192.168.0.11, which is my lab router.
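The same routing decision worked through in code, as an added example that is not part of the original post: the router's LAN and the three lab routes above are restated as constructed data, each Route-tab entry is sanity-checked before it is applied (gateway on the LAN, no overlap with the LAN, no host bits in the network field), and a longest-prefix-match lookup shows which next hop a given destination gets.

```python
import ipaddress

# Values from the post, restated here as constructed test data: the router's LAN and the
# three lab routes typed into the Route tab as (Network/Host IP, Netmask, Gateway).
LAN = ipaddress.ip_network("192.168.0.0/24")
STATIC_ROUTES = [
    ("10.1.0.0", "255.255.255.0", "192.168.0.11"),
    ("10.2.0.0", "255.255.255.0", "192.168.0.11"),
    ("10.3.0.0", "255.255.255.0", "192.168.0.11"),
]

def validate_route(net, mask, gw, lan=LAN):
    """Sanity-check one Route-tab entry; returns a list of problems (empty means OK)."""
    try:
        # strict=True rejects a host address paired with a network mask (e.g. 10.1.0.5/24)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
    except ValueError as e:
        return [f"bad Network/Host IP or Netmask: {e}"]
    gateway = ipaddress.ip_address(gw)
    problems = []
    if gateway not in lan:
        problems.append(f"gateway {gw} is not on the router's LAN {lan}, so it is unreachable")
    if gateway in network:
        problems.append(f"gateway {gw} sits inside {network}; the router would loop on itself")
    if network.overlaps(lan):
        problems.append(f"{network} overlaps the LAN {lan}; local hosts could be shadowed")
    return problems

def build_table(routes, lan=LAN):
    """Routing table as (network, next_hop); a None next hop means deliver directly."""
    table = [(ipaddress.ip_network(f"{n}/{m}"), ipaddress.ip_address(g)) for n, m, g in routes]
    table.append((lan, None))
    return table

def next_hop(dst, table):
    """Longest-prefix match: the most specific route wins; no match means the WAN default."""
    ip = ipaddress.ip_address(dst)
    best = None
    for network, gw in table:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    if best is None:
        return "WAN"
    return "direct" if best[1] is None else str(best[1])

if __name__ == "__main__":
    for entry in STATIC_ROUTES:
        print(entry, validate_route(*entry) or "OK")
    print("10.2.0.44 ->", next_hop("10.2.0.44", build_table(STATIC_ROUTES)))
```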

Note that you can also add static routes via the BusyBox command line; however, I am not going to go into that today. It's simple enough to add them in the WebUI.

I am having trouble getting my static routes to work. After I set them up I can ping the final IP but am unable to connect to the GUI. Is there anything else you have to set in the Asus GUI to allow traffic between the two networks?

David, can you elaborate? I read your post a few times, but I am not exactly clear on the exact situation. For example, do you mean that after you add your static route, you can then ping an IP in the address space of the route? What do you mean by you cannot connect to the GUI? Do you mean from your workstation? Or from the IP that you pinged previously?

Note that you are not actually configuring the router to allow traffic between the two networks; rather, you are telling the router to redirect certain network traffic (for the designated IP ranges) to a specific next network hop, instead of the default one that would normally be out to the internet. The next hop needs to know what to do with this traffic and where to send it so that it can get to its destination. The next hop also needs to know how to send traffic back to the Asus router. Is your next hop router plugged directly into the Asus router?

Settings
Network/Host IP “192.168.171.0”
Netmask “255.255.255.0”
Gateway “192.168.0.171”
I can successfully ping 192.168.171.10 from my computer at 192.168.0.xx
When I enter 192.168.171.10 into Firefox or Chrome I am unable to connect to the user interface.
192.168.0.171 is connected wirelessly to the Asus router.

When I remove the routes on the router and set them up on my computer everything works fine. I want the routes on the router so I can also access with other devices.

I have an ASUS RT-N66U connected to a Cisco router. I have the ASUS set up with a static route such as 100.100.100.0 255.255.255.0 (for a lab subnet behind the Cisco router) pointing to next hop 192.168.1.100 (Cisco router interface connected to ASUS). Similarly, on the Cisco router I have created a default route 0.0.0.0 0.0.0.0 pointing to 192.168.1.1 (which is my ASUS router interface). This works great: I can access public DNS servers and ping google.com from my Cisco router. From my laptop I can ping devices in the 100.100.100.x subnet. So basic IP connectivity is fine... BUT... from my laptop I can't connect to TCP port 80, 443, or 8443, or whatever in the destination subnet 100.100.100.x as long as the traffic must traverse the ASUS. Wireshark shows my outbound requests and no response packets. There are no ACLs on my Cisco router. I verified when directly connected to the 192.168.1.x subnet on the Cisco router that I *can* connect to various TCP ports on my destination servers, which shows they are working fine. This points the finger clearly at the ASUS doing the blocking.

Is there a setting on ASUS to ensure wide open connectivity between wireless and wired Ethernet ports, including for any static routes? I also want to preserve the firewall functionality to protect the LAN and wireless from inbound requests via the WAN.

I figured out an ugly hack: telnetting in, looking at iptables -L FORWARD -v to see which rules were getting hit, and I verified incrementing counters on the ‘any any INVALID’ rule (it’s the third one in my version of the firmware). As soon as I deleted this rule (e.g. iptables -D FORWARD 3) it enabled my access to webservers on that subnet.

I don’t think this is a safe long term strategy because the rule is ‘any any’. I’m still trying to figure out where the nonvolatile config is stored so I can modify it, and trying to figure out a more surgical modification, such as a permit rule for ‘br0 br0 INVALID’ ahead of the block rule for ‘any any’ INVALID. That way invalid packets that are attack attempts coming in via eth0 (i.e. “the internet/WAN”) would still be blocked but my traffic between ports on the bridge interface would still get through. Progress though!

My final solution (working) that is good enough for me: instead of doing “iptables -D FORWARD 3” to delete the offending drop rule, I insert a rule above it that accepts INVALID as long as the input and output interfaces are br0 (i.e. inside of my network, not the eth0 WAN interface). Just type this after telnetting into the router:
iptables -I FORWARD 3 -i br0 -o br0 -j ACCEPT

Of course, this presumes the third rule in your list is the offending INVALID line, and you want to open a little hole just in front of it. Note the following output that shows which rules are getting hit before and after, where you can see the INVALID rule dropping packets before the change, then the new rule I added hitting after the change, where the desired packet flow is actually working now.
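The counter check and rule insertion described in the comment above, as an added example that is not from the original thread: it parses a constructed `iptables -L FORWARD -v -n` listing (sample data, not captured from a real router), locates the catch-all INVALID drop by position instead of assuming it is rule 3, reports whether that rule is actually eating packets, and builds the narrower br0-to-br0 exception the commenter described rather than a blanket accept. It assumes the `state` match module is available, as the `state INVALID` column in such listings implies.

```python
import re

# Constructed sample of `iptables -L FORWARD -v -n` output, not captured from a real router.
# Rule order mirrors the comment above: the 'any any' INVALID drop is rule 3.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8123 6110K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2044  162K ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
  312 18720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [match options...]
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def _count(s):
    """Turn iptables' abbreviated counters (18720, 162K, 6110K, 2M) into an int."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_forward(listing):
    """Return the FORWARD rules as dicts; 'index' is the 1-based position iptables -I/-D uses."""
    rules = []
    for line in listing.splitlines()[2:]:          # skip chain header and column header
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, _, target, _, _, ifin, ifout, src, dst, extra = m.groups()
        rules.append({"index": len(rules) + 1, "pkts": _count(pkts), "target": target,
                      "in": ifin, "out": ifout, "src": src, "dst": dst, "extra": extra})
    return rules

def find_invalid_drop(rules):
    """Index of the first catch-all (any in, any out) DROP of state INVALID, or None."""
    for r in rules:
        if r["target"] == "DROP" and "INVALID" in r["extra"] and r["in"] == "*" and r["out"] == "*":
            return r["index"]
    return None

def invalid_drop_is_active(rules):
    """True when the INVALID drop has a non-zero packet counter, i.e. it is dropping traffic."""
    idx = find_invalid_drop(rules)
    return idx is not None and rules[idx - 1]["pkts"] > 0

def bypass_command(rules):
    """Insert in front of the catch-all drop, exempting only INVALID packets that stay on br0;
    eth0 (WAN) traffic still hits the drop. Assumes the 'state' match module is present."""
    idx = find_invalid_drop(rules)
    return None if idx is None else f"iptables -I FORWARD {idx} -i br0 -o br0 -m state --state INVALID -j ACCEPT"
```

Run it against the listing from your own router (`iptables -L FORWARD -v -n`) rather than the sample before typing the command it prints, since the rule position differs between firmware versions.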

So now that I have had a chance to think about this, it kinda makes sense. The router only allows http connections from its local network. If I recall there is a setting to allow connections from WAN, I wonder if this will also allow connections from your other internal networks. Not that you want to also allow access from the WAN, but this might be the setting that would allow the access you want.

I am suffering the same issue with an AC68U and routing to another network. I am using Raspberry Pis as OpenVPN servers with a remote site. When the static route is set up on the router I can ping the other network's devices but I can't connect via RDP, SAMBA, HTTP etc. I can see the rejected packet counter going up when this is happening.

If I use a little TP-Link WR710N connected to my AC68U via WISP mode and set the route on this, I can fully access the other network.

I have raised a support ticket with Asus UK and am talking with PeterS about this issue.